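# Fleet module wiring every fleet host into one WireGuard mesh.
#
# Secrets declared by this module (all produced by generators; the private
# material only ever leaves the generator through `encryptCmd`):
#   wg-key-<host>  - key pair for one host: `key` (encrypted private key) and
#                    `pub_key` (plain public key); owned by that host only.
#   wg-psk-<a>-<b> - pre-shared key for the host pair (a, b); owned by both.
# Each host then gets a single interface with every *other* host as a peer.
{ config, lib, fleet, ... }:
with lib;
with fleet;
let
  cfg = config.networking.wireguard;

  # Generator for a WireGuard key pair. The private key is piped straight
  # into encryptCmd; only the public key is written in clear, which is what
  # the peer list below reads at evaluation time.
  genWgKey = { owners }: {
    inherit owners;
    generator = mkSecret (
      { pkgs, encryptCmd }: {
        utils = [ pkgs.wireguard-tools ];
        script = ''
          key=$(wg genkey)
          pub=$(echo $key | wg pubkey)

          mkdir -p $out
          echo $key | ${encryptCmd} >$out/key
          echo $pub >$out/pub_key
        '';
      }
    );
  };

  # Generator for one pre-shared key; like the private key it is only ever
  # stored encrypted.
  genWgPsk = { owners }: {
    inherit owners;
    generator = mkSecret (
      { pkgs, encryptCmd }: {
        utils = [ pkgs.wireguard-tools ];
        script = ''
          key=$(wg genpsk)

          mkdir -p $out
          echo $key | ${encryptCmd} >$out/key
        '';
      }
    );
  };

  # wg-key-<host> for every host in the fleet.
  hostKeys = listToAttrs (
    map
      (hostName: nameValuePair "wg-key-${hostName}" (genWgKey { owners = [ hostName ]; }))
      hostNames
  );

  # wg-psk-<a>-<b> for every host pair. hostsCartesian supplies the pairs;
  # hostsPair (used in the peer list) is expected to yield the same a/b
  # order, otherwise the presharedKey path below would not match a secret.
  psks = listToAttrs (
    map
      ({ a, b }: nameValuePair "wg-psk-${a}-${b}" (genWgPsk { owners = [ a b ]; }))
      hostsCartesian
  );
in
{
  options.networking.wireguard = with types; {
    enable = mkEnableOption "wireguard";
    interface = mkOption {
      type = str;
      description = "Interface name for wireguard network";
      # The interface name used to be hard-coded as "fleetwg" and this option
      # was never read; keeping "fleetwg" as the default means honouring the
      # option does not rename the link on existing deployments.
      default = "fleetwg";
    };
    port = mkOption {
      # types.port rejects values outside the valid 16-bit range at eval time.
      type = port;
      description = "Port, on which wireguard interface should listen";
      default = 51871;
    };
    allowedIPs = mkOption {
      type = attrsOf (listOf str);
      description = "Per host allowed ips";
      # Deliberately no default: a peer without an entry is a hard evaluation
      # error rather than a silently unreachable host.
    };
  };

  config = mkIf cfg.enable {
    secrets = hostKeys // psks;

    hosts = hostsToAttrs (
      hostName: {
        modules = [
          {
            networking.wireguard.enable = true;
            # Both options are now actually applied to the generated interface.
            networking.wireguard.interfaces.${cfg.interface} = {
              listenPort = cfg.port;
              privateKeyFile = "/run/secrets/wg-key-${hostName}";
              # Every other host is a peer. The host itself is filtered out
              # (hostNames is taken to include hostName): a self entry would
              # reference a PSK for the pair (host, host) and apply the
              # host's own allowedIPs to itself.
              peers = map
                (
                  peer:
                  let
                    pair = hostsPair hostName peer;
                  in
                  {
                    # The generator writes the public key to `pub_key`; `key`
                    # holds the encrypted private key and is never a valid
                    # peer key. Assumes fleet exposes the generator's output
                    # files under `data` by file name - confirm against
                    # mkSecret.
                    publicKey = config.secrets."wg-key-${peer}".data.pub_key;
                    presharedKey = "/run/secrets/wg-psk-${pair.a}-${pair.b}";
                    allowedIPs = cfg.allowedIPs.${peer};
                  }
                )
                (filter (peer: peer != hostName) hostNames);
            };
          }
        ];
      }
    );
  };
}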